I want to create a central rsyslog server, and I want to create a file per type of log received. I need a filter that will look for specific strings in the incoming messages and then place them in separate log files.
So if I see a log from a Cisco device, I will place it in /var/log/remote_cisco.log; if I see a log from another Linux box, I want to place the log in /var/log/remote_linux.log.
So I have created a new config that has a new ruleset, but I am struggling to understand where to put my filters. I want to say something like:
if $msg contains 'CISCO ASA' then /var/log/remote_cisco.log
Here is my current basic config file:
# Syslog Config to enable a Syslog Server
ruleset(name="remote") {
    action(type="omfile" file="/var/log/remote.log")
}

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote")
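The following is an added example, not part of the original post, showing where the filters go: inside the ruleset that the two inputs are bound to, as RainerScript `if ... then { ... }` blocks, each followed by `stop` so a matched message does not also fall through into the catch-all file. The match string `%ASA-` is the prefix Cisco ASA syslog messages actually carry (the post's `CISCO ASA` will not normally appear in `$msg`); the IP `192.0.2.10`, the `linux-` hostname prefix and the file modes are assumptions for illustration.

```conf
# Added example config: filters live inside the ruleset the inputs point at.

module(load="imudp")
module(load="imtcp")

ruleset(name="remote") {

    # Cisco ASA messages look like "%ASA-6-302013: Built outbound ..."
    # Matching on $msg is content-based and therefore spoofable by any
    # sender; it is fine for sorting, not for trusting.
    if $msg contains '%ASA-' then {
        action(type="omfile" file="/var/log/remote_cisco.log"
               fileCreateMode="0640" dirCreateMode="0750")
        stop
    }

    # Route Linux boxes by where the message came from rather than by a
    # string in the body. $fromhost-ip is the peer address rsyslog saw
    # (assumed 192.0.2.10 here); $hostname is whatever the sender claims
    # (assumed to start with "linux-"). Over UDP even the source IP can be
    # forged, so prefer TCP (ideally TLS) if this routing matters.
    if ($fromhost-ip == '192.0.2.10') or ($hostname startswith 'linux-') then {
        action(type="omfile" file="/var/log/remote_linux.log"
               fileCreateMode="0640" dirCreateMode="0750")
        stop
    }

    # Everything that matched nothing above still lands in the catch-all,
    # so unexpected senders are visible instead of silently dropped.
    action(type="omfile" file="/var/log/remote.log"
           fileCreateMode="0640" dirCreateMode="0750")
}

# Both inputs hand every received message to the "remote" ruleset above,
# so none of it is processed by the default ruleset in /etc/rsyslog.conf.
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
```

Check the syntax before restarting with `rsyslogd -N1 -f /path/to/this.conf`, which parses the file and reports errors without starting the daemon. The `fileCreateMode`/`dirCreateMode` values keep remote logs from being world-readable, since anything a remote host sends (including credentials leaked into log lines) ends up in these files.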